CVE-2006-0921

Name of the Vulnerable Software and Affected Versions FCKeditor version 2.0 FC

Description The issue allows remote attackers to list and create arbitrary directories due to multiple directory traversal vulnerabilities in connector.php. This is achieved by using a .. (dot dot) in the CurrentFolder parameter to (1) GetFoldersAndFiles and (2) CreateFolder API endpoints.

Recommendations For FCKeditor version 2.0 FC, consider restricting access to the GetFoldersAndFiles and CreateFolder functions until a patch is available, and avoid using the CurrentFolder parameter with unvalidated input to minimize the risk of exploitation.